"…Kilgallin is sceptical about pre-loading devices with keys during manufacturing, because it opens up devices to supply chain attacks in which an untrustworthy manufacturer or logistics company tampers with the keys en route.
Certificates also expire, he points out, meaning that they’d have to be re-generated periodically on the device anyway. An alternative, he suggests, is to get better random input during an onboard key generation process. Because IoT devices are network connected, they can easily get true random data from various sources, he says. That would let them generate higher-entropy keys even with limited computing power and memory…"
I’ve been trying to figure out the best way to fix issue for wireless APs and network routers that have their own SSL certificate.
Would it be safe to replace the public and private key on these kinds of devices over SSH with a custom set of certs?
Could this be a long term issue that has to be dealt with by the manufacturers fo these devices we buy?
Would replacing the current cert with one like a Letsencrypt cert be wise even if i had a way to ssh into it and update it with new certs automatically?